What’s Breach & Attack Simulation?
What is breach and attack simulation (BAS)?
Breach and attack simulation is an offensive security testing method in which security professionals, along with automated tools, continuously assess how prepared organizations' systems are for actual threats. This is done by following the attack paths and techniques that adversarial actors are likely to use.
How does breach and attack simulation work?
A breach and attack simulation solution assesses security controls across different systems (e.g., applications, networks, cloud infrastructure, containers). Some of the controls that have gained the most attention can be summarized in the following categories:
- Application security testing: controls to identify vulnerabilities in proprietary and third-party software.
- Identity and access management: controls to manage subjects and ensure proper authentication and authorization for access to specific objects.
- Network protection: controls to detect and counter intrusions and malicious traffic, restrict access and monitor data, among other functions.
- Data storage security: controls to ensure the confidentiality, integrity and availability of stored data.
Accordingly, the attack simulations include malware attacks on endpoints, delivery of malicious email attachments, web-based attacks, data exfiltration, system abuse and lateral movement through the network. The attacks are comprehensive and continuous, evolving with the threats.
Admittedly, most breach and attack simulation services on the market rely only on automation. The most basic services assess internal network security, scanning for issues that match a database of known vulnerabilities. Other tools are able to generate malicious traffic that follows the logical steps of known techniques; they check whether the organization's technologies, such as intrusion prevention systems (IPS) and security information and event management (SIEM), are ready to detect and block such traffic. Yet another set of tools simulates well-studied attack tactics, techniques and procedures (TTPs) across systems to check whether security defenses can be bypassed. Some providers liken the capabilities of the latter tools to the work of a purple team, since they combine red and blue team exercises (though automated). We will expand on this in a future blog post.
Breach and attack simulation tools may produce results faster than humans, but accuracy is a concern. Automation is prone to errors in its reports (false positives and false negatives). What's more, these technologies have to be updated constantly as the latest TTPs of advanced persistent threats (APTs) become understood. The window between those updates and the remediation of the security issues found is an opportunity for adversaries to try their luck at gaining access to sensitive resources.
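The detection-readiness checks and the false-positive/false-negative concerns above, as an added example that is not Fluid Attacks' tooling or code from this post: a minimal BAS-style scorecard that replays constructed, benign event streams (each standing in for one simulated TTP) against hypothetical SIEM-style rules and reports what was detected, missed or falsely flagged. Event fields, rule names, thresholds and scenario ids are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    source: str      # constructed telemetry source: "edr" or "proxy"
    action: str
    details: dict = field(default_factory=dict)

# Hypothetical SIEM-style rules standing in for the controls under test; each returns an alert name or None.
def rule_office_spawns_shell(e):
    if (e.source == "edr" and e.action == "process_start"
            and e.details.get("parent") in {"winword.exe", "excel.exe"}
            and e.details.get("image") in {"powershell.exe", "cmd.exe"}):
        return "office_spawns_shell"

def rule_bulk_upload(e):
    # Per-event threshold only; the scenarios below show what that misses.
    if e.source == "proxy" and e.action == "upload" and e.details.get("bytes", 0) > 50_000_000:
        return "bulk_upload"
RULES = (rule_office_spawns_shell, rule_bulk_upload)

def detect(events, rules=RULES):
    """Run every rule over every event; return the set of alert names that fired."""
    return {name for e in events for r in rules if (name := r(e))}

# Constructed scenarios: (id, benign stand-in event stream for one simulated TTP,
# alert a working control must raise, or None for a baseline that must stay quiet).
SCENARIOS = [
    ("T-macro-shell", [Event("edr", "process_start", {"parent": "winword.exe", "image": "powershell.exe"})], "office_spawns_shell"),
    ("T-exfil-bulk", [Event("proxy", "upload", {"bytes": 120_000_000})], "bulk_upload"),
    ("T-exfil-slow", [Event("proxy", "upload", {"bytes": 5_000_000}) for _ in range(30)], "bulk_upload"),
    ("B-backup-job", [Event("proxy", "upload", {"bytes": 200_000_000, "proc": "backup-agent"})], None),
    ("B-user-excel", [Event("edr", "process_start", {"parent": "explorer.exe", "image": "excel.exe"})], None),
]

def scorecard(scenarios=SCENARIOS, rules=RULES):
    """Classify each scenario: detected, missed (false negative), false_positive or clean."""
    card = {}
    for sid, events, expected in scenarios:
        fired = detect(events, rules)
        if expected is None:
            card[sid] = "false_positive" if fired else "clean"
        else:
            card[sid] = "detected" if expected in fired else "missed"
    return card
def coverage(card):
    """Share of simulated TTPs the controls caught (1.0 means no misses)."""
    tested = [v for v in card.values() if v in ("detected", "missed")]
    return tested.count("detected") / len(tested) if tested else 0.0
```

The per-event upload threshold is left deliberately naive so that the slow, many-small-uploads scenario registers as a miss and the backup job as a false positive; those two entries are what a rerun after tuning the rules should clear.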
That's why we at Fluid Attacks recommend a combination of automation and manual assessments by security professionals. The work of highly certified ethical hackers can be aided by automated tools. These professionals keep up to date on the TTPs of malicious threat actors, then conduct analyses and create custom exploits to bypass defenses. Unlike tools, hackers can get to work as soon as the threats are announced by cybersecurity researchers and response teams, among other entities (e.g., the US Computer Emergency Readiness Team). And their assessments need not be limited to the entries of the MITRE ATT&CK (adversarial tactics, techniques and common knowledge) framework and the NVD (National Vulnerability Database).
Why do organizations conduct breach and attack simulations?
What are the implications of vulnerable systems? They include the risk of successful attacks whose impacts range from compromised information and data breaches to the temporary shutdown of critical services. With the global costs of cyberattacks only getting higher (estimated at 8 trillion dollars in 2023), technology development companies must take measures. What they look for is a solution to detect security issues that could compromise their systems' availability and their data, as well as that of users. For this purpose, there are several security testing tools on the market. High rates of false positives and false negatives aside, automated tools can identify known vulnerabilities and issues, some of which may already have been exploited by malicious threat actors. But the tools cannot say whether the assessed systems can withstand real attacks.
Being up to date on actual and current threats is a priority, since the cybersecurity environment is constantly evolving. Just think of the advancing technological trends that connect us more and more to a digital world. For example, new Internet of Things devices flood the market (doorbells, speakers, toothbrushes, you name it), and they generally lack security or are improperly configured by users. Threat actors move at the speed of software innovation, testing ways to exploit vulnerable new technology. In this landscape, the teams validating the security of these products are required to think like hackers. What BAS brings organizations is a methodology for challenging their security controls with the purpose of optimizing them. The relentless simulated attacks are specially crafted and carried out along the whole cyber kill chain, targeting critical assets. To prevent a breach, attack simulation is a possible path.
What are the benefits of breach and attack simulations?
The following are the main benefits teams can expect from an advanced BAS solution:
- It conducts security testing that reproduces scenarios in which real threat actors today would attempt to bypass networks' defenses.
- It tests a wide variety of security requirements, not only in internal networks but also on the enterprise perimeter.
- It helps organizations validate the areas of their networks most exposed to risk so they can prioritize cybersecurity spend.
This is a Security Bloggers Network syndicated blog from the Fluid Attacks RSS Feed, authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/what-is-breach-attack-simulation/